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This paper begins with a simple proof of the existence of squash operators compatible with the 
Bennett-Brassard 1984 (BB84) protocol which suits single-mode as well as multi-mode threshold 
detectors. The proof shows that, when a given detector is symmetric under cyclic group C4, and 
a certain observable associated with it has rank two as a matrix, then there always exists a corre- 
sponding squash operator. Next, we go on to investigate whether the above restriction of 'rank two' 
can be eliminated; i.e., is cyclic symmetry alone sufficient to guarantee the existence of a squash 
operator? The motivation behind this question is that, if this were true, it would imply that one 
could realize a device-independent and unconditionally secure quantum key distribution protocol. 
However, the answer turns out to be negative, and moreover, one can instead prove a no-go theorem 
that any symmetry is, by itself, insufficient to guarantee the existence of a squash operator. 



Quantum key distribution (QKD) is a technique for 
distributing information-theoretically-secure secret keys 
between two parties connected by a quantum channel. 
The oldest and now defacto standard protocol for QKD 
is the well-known Bennett-Brassard 1984 (BB84) proto- 
col Several different approaches are known today 
for proving its unconditional security @, H, 0, Q; e.g. 
one based on virtual entanglement distillation protocol 
(EDP) 0, E| and another based on the complementarity 
of quantum theory [1] . 

The most widely used of these approaches is the one 
based on EDP, where an actual QKD protocol is con- 
verted to an equivalent and virtual EDP performed by 
Alice and Bob. The conversions must be made so that 
Alice's and Bob's quantum operations are seen by Eve 
to remain the same positive operator valued measures 
(POVM); i.e., Eve's information regarding the secret key 
bits is not changed by conversion. In the original versions 
of EDP-based proofs @, S], one needed to assume that 
the actual protocol had access to a perfect single-photon 
source and photon-number resolving detectors. However, 
this assumption is invalid for real- world QKD systems, 
which use attenuated lasers as light sources, and the re- 
ceiver uses 'threshold detectors,' which can discriminate 
a nonzero photon state from the vacuum, but cannot de- 
termine the exact photon number. 

In fact, techniques are already known that can fill 
these gaps. As for light sources, by exploiting decoy 
states, lasers can be driven to effectively emit single- 
photon pulses M. One of the known solutions for de- 
tectors [3, H, [U is the powerful theoretical tool called 
'squash operator'. Squash operator is a quantum opera- 
tion which transforms an incoming n-photon state to a 
qubit state. By incorporating this operator into a con- 
ventional type of security proof where Bob has a photon- 
number discriminating detector, one automatically ob- 
tains a new proof that remains valid even if threshold 
detectors are used. A squash operator was first assumed 
in the security proof by Gottesman et al. [3j|, however, its 
existence was only conjectured, no proof was given. For 
threshold detectors, which are sensitive only to single- 
mode photon pulses, its existence was proved first by the 



present author and Tamaki [7|, and also independently 
by Beaudry et al. 

The aim of this paper is to investigate how far we can 
generalize this result from the viewpoint of symmetry 
constraints imposed on the detector. In the first half 
of this paper, we show that when a given set of POVM 
is symmetric under transformations of cyclic group C4, 
and the observable M z related with it has rank two, then 
there always exists a corresponding squash operator com- 
patible with the BB84 protocol (Theorem 1). An imme- 
diate corollary of this theorem is that a squash operator 
exists, not only for single-mode threshold detectors, but 
also for multi-mode threshold detectors. Next, in the sec- 
ond half of the paper, we tackle the question of whether 
the above restriction of 'rank two' can be eliminated. The 
answer, however, turns out to be negative. Furthermore, 
it can be shown that, more generally, no symmetry is 
sufficient by itself to guarantee the existence of a squash 
operator (Theorem 2). 

Definition of Squash Operator. — In the BB84 proto- 
col, Alice and Bob use two different bases, r, for their 
measurements, interchangeably. They are usually de- 
noted as the z and the x basis (r = z,x) because they 
are related to qubit measurements of the Pauli matrices 
a z ,a x . Similarly, the notation of r = +, x bases is used 
to indicate the directions of photon polarization. In what 
follows, we stick to the notation of r — z,x for the sake 
of simplicity. 

We denote the Hilbert space of the receiver's incoming 
states as He- In this space, there are two sets of POVM 
elements, M/ r M, corresponding to basis r = z, x and the 
output bit b — 0, 1. We also define observables M r := 
M(r.o) ~ M{r,i) for later convenience. For example, if a 
receiver measures state ps G 7~Cb using the x basis, he 
observes output bit b = with the probability P( x ,o) — 
Tr (/)bM( i )) ■ We also assume that the measurements 
are complete for each basis; that is, 

M (r , ) + M [rA) = l B (1) 

holds for r = z, x, where Is is the identity operator of 
'Hb- 
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Squash operator F is a completely positive trace- 
preserving (CPTP) map with the following properties 
[lj]. F maps states in Kb to those in qubit space Tic, 
and, when F is followed by the z or the x measurement 
in Tic, it reproduces M r of the actual measurement de- 
vice. That is, for an arbitrary mixed state ps G TL B , it 
satisfies 



Tr (F(p B K) = Tr [p B M r ) for r 



(2) 



with ay being the Pauli operators. A convenient way of 
describing F is to use an operator sum representation 
with a set of Kraus operators F c (see, e.g., [12|].) in this 
notation, the trace-preserving condition of F takes the 
form ^2 C F^F C = Ig. Complete positiveness is guaran- 
teed as long as F is expressed as F(pb) — J2 c FcPbF£. 
This notation has the additional merit that the Hermi- 
tian conjugate, F\ of F can be expressed in simple form 
as F^(pc) = P^PcFc with p c being an arbitrary state 
in Tic- By using these relations, the definition of squash 
operator F for M r given in ((2]) can be equivalently stated 
as the following two conditions for Kraus operator F c , 



c 



(3) 
(4) 



Cyclically Symmetric POVM for the BB84 protocol. - 
In the first half of this paper, we show that F actually ex- 
ists for multi-mode threshold detectors as well. Against 
this goal, we generalize the problem slightly by taking up 
finite group C4, i.e., a cyclic group of order 4, and con- 
sider POVM elements M( r f) ) which are symmetric under 
its transformations (for details of C4 group, see, e.g., 0].) 
The C4-symmetry of M( rb j is stated rigorously as follows. 

Definition 1 A set of POVM elements {M {rf)) } of BB84 
type is C4- symmetric, if there exists unitary operator U 
satisfying U Ak —1b with k £ N, and it transforms them 
as follows 



UM (zM U^ = M {x>b) , 
U 2 M {rM uV = M M _ 6) . 



(5) 
(0) 



Intuitively, operator U corresponds to rotating a detector 
spatially by 45 degrees, when polarization encoding is 
used. It can be better seen if we newly define operators 
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, L-i as L 
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(z,b) 



and L 2b +i 



M (x,b) for b 



0,1. The relations (O and ^ can thus be rewritten 
as UL C U^ = L c+ i, where modulo 4 is assumed in the 
summation of index c. Note here that, with U being a 
45-degree rotation, we have U 8 — Ib instead of U 4 = Is. 
This example demonstrates why we needed to consider 
cases of fc > 1 in Definition 1. 

Theorem 1 If a given set of POVM elements {M( rb }} 
of BBS '4 type is C4- symmetric, and the rank of the corre- 
sponding observable M z ( or equivalently, M x ) as a matrix 



is two, there always exists a corresponding squash opera- 
tor compatible with the BB84 protocol. 

Here, it should be noted that the restriction of 'rank two' 
does not necessarily mean that the Hilbert space TLb is 
a qubit space, as illustrated by the following example. 

An important example of Gi-symmetric POVMs is the 
threshold detector. In this paragraph, following 0, [1], 
we concentrate on photon detection modules consisting 
of two photon threshold detectors, each of which corre- 
sponds to output bits b = 0, 1; we call such photon detec- 
tion units simply 'threshold detectors' with a slight abuse 
of the terminology. We also assume that, when both de- 
tectors click coincidently (double-click events), the de- 
tection system outputs a random bit as its output, b. 
However, we differ from [7|, |8| in that we do not restrict 
ourselves to a single mode, but assume that an incoming 
light pulse may have m > 1 modes of propagation; we la- 
bel each of them by index i. We also denote the number 
of photons in mode i as n^, and let N — (n\, ■ ■ ■ , n m ). 
Clearly, any threshold detector is block diagonalized with 
respect to the photon number configuration N, and there 
is no loss of generality in considering each of the blocks 
individually when analyzing security. For each such sec- 
tion, N, the observables M r can be written as a matrix 
with rank two 

M r = \N;r, 0) (N; r, 0| - \N; r, 1) (N; r, 1| (7) 

for r G {z,x}, where 

\N;r,b) :=A N (a\^( a l b r---(al rb r-\0). (8) 

Note here that M r has rank two because double-click 
events are replaced by a random bit in our model, and 
thus all states besides \N;r, 0) and \N;r, 1) are can- 
celled in the subtraction M r — M( r ) — ^-(r,V) ( a s i m_ 
ilar argument can be found in flOlj.) Coefficient An 
in is the normalization constant for state \N;r,b), 
and a\ rb are the creation operators for photons propa- 
gating in mode i, having bit value b of basis r. In ac- 
cordance with the usual notations of Pauli matrices, cre- 
ation operators a\ rb for two bases r — z, x are related as 

a Lb = 7f (4*0 + (- 1 ) h «l z i)- Th e single-mode thresh- 
old detectors discussed in @,H[ correspond to the special 
case of m = 1. C4-symmetry can be shown by using an 
explicit form of the transforming operator Un, 



Un = exp 



-Y 
2 ^ 



(4 



y o a iyO 



The creation operator along the y-axis appearing in 
the above equation is defined as a\ yb — (a\ z0 + 

l {-l) b a\ zl )/V2. 

From these facts, and also from Theorem 1, it immedi- 
ately follows that a squash operator exists, not only for 
single-mode threshold detectors, but also for multi-mode 
threshold detectors. 
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Proof of Theorem 1. Here we give only the proof 
for k = 1, since all other cases (k > 2) can be shown 
by exactly the same argument. As can be seen from 
U 2 M Z U^ 2 = —M z , for each normalized eigenstate \v) of 
M z with an eigenvalue < A < 1, there always exists an- 
other eigenstate U 2 \v) having a different eigenvalue —A, 
and thus is orthogonal 

(v\U 2 \v) = 0. (9) 

From this, and since the rank of M z is two, it follows that 
M z takes the form 

M z = \(\v)(v\~U 2 \v){v\UV). (10) 

By using a basis that diagonalizes U, we can always de- 
compose \v) as 

3 

\v) = ^> c k>, (ii) 

c=0 

with U \v c ) = i c \v c ). Then, from we see that coeffi- 
cients fii satisfy 

lMo| 2 + lM2| 2 = |/ii| 2 + k3| 2 = i (12) 

We now define a completely positive, but not necessar- 
ily trace-preserving map, F, with a set of Kraus operators 
F , Fi, . . . , F 3 which take the form 

F c = V2X(n c+1 \0 y )(v c \+ n c \l y )(v c+ x\) (13) 

if Hc^t+i 0, otherwise F c — 0. In (fT3|) . modulo 4 
is assumed for the summations of index c. From the 
linearity of F* , we obtain the following relation 

3 

F\a z + ia x ) = F\(°z + i°x)Fc 

c=0 

3 3 

= 2^F c t|0,)<l lJ |F c =4A^ Mc /i: +1 |« c )( Wc+1 | 

c=0 c=0 
3 

= A^Yt/»(t;|[/ tc = M z + iM x . (14) 

c=0 

Similarly, from eqs. (Tj"2"|) and (H2J), we have F^fjc) — 
T, c =o F c F c < Ib- Furthermore, F can be modified such 
that it satisfies the trace-preserving condition ([6]), and 
also maintains relation F^(a z + ia x ) = M z + iM x , ob- 
tained in (|14|) . This can be done by introducing extra 
Kraus operators F c , c > 3, having the form F c = \b y ){ijj c \ 
with b = or 1. 

That the CPTP map F thus obtained also sat- 
isfies <j5j> for r = z can be shown as F^(ct z ) = 
iFt ((<r z + + H.c.) = \{M Z + iM x ) + H.c. = M z , 
where 'H.c.' denotes the Hcrmitian conjugate. The other 
relation for r — x can be shown similarly. (End of proof.) 

Does Symmetry Imply the Existence of Squash Oper- 
ators? — A natural question that arises here is: Can 



we eliminate the restriction of 'rank two' appearing in 
Theorem 1? In other words, is cyclic symmetry C4 alone 
sufficient to guarantee the existence of a squash operator? 
Or more generally, is there any types of symmetry that 
is strong enough to ensure its existence? In the remain- 
ing half of this paper, we shall investigate this possibility. 
This question is interesting because if this were actually 
the case, we would need no knowledge about microscopic 
structures of a detector in order to ensure the existence 
of its squash operator. In other words, we would succeed 
in proving the unconditional security of QKD in a device- 
independent way (for security against collective attacks, 
see |13l|). 

Indeed, C4-symmetry is already realized in most con- 
ventional BB84 systems (c.f. the paragraph below Def- 
inition 1). For example, when polarization encoding is 
used, bases z, x can be switched by rotating the detector 
by 45 degrees. In addition, the receiver may interchange 
the assignment of two detectors to output bit b = 0,1 
randomly, by rotating them by 90 degrees and flipping b. 
This may be done, in order to cancel the mismatch be- 
tween two detectors in terms of quantum bit error rate. 
These two types of rotation generate a C4 group. 

Moreover, for some QKD protocols, no knowledge 
about microscopic structures of any components besides 
detectors are needed to prove security. For example, con- 
sider the Bennett-Brassard- Mermin 1992 protocol [ll[, 
where an untrusted third party prepares an entangled 
state. It is clear that if symmetry could actually im- 
ply the existence of squash operators, we would be able 
to prove the security of a QKD system without knowing 
anything of the microscopic structure of the devices, only 
the macroscopic operations by Alice and Bob. 

However, as we shall show below, that is not actually 
the case. The fact is that we can prove a no-go theorem 
that denies all such possibilities. In order to discuss this 
point rigorously, we define general symmetries of POVM 
below, and then present a theorem. 

Definition 2 A set of 'POVM elements {M^ b) } of BB84 
type is symmetric under finite group G, if they transform 
under G as 

V{g)M (rfi) V\g) = M g(Tjh) for g e G, 

with V{g) being a unitary representation of group G. 
Here, map g : (r,b) > (r',b') determines how each 
POVM element M( ri b) is transformed into another ele- 
ment by g G G. 

Theorem 2 No symmetry is sufficient by itself to guar- 
antee the existence of a squash operator. That is, one 
cannot prove a theorem that states that 'For an arbitrary 
G -symmetric set of POVM, there always exists a squash 
operator compatible with the BB84 protocol. ' 

We present below a proof of this theorem. The basic 
strategy here is to show that, if the type of theorems 
as quoted in Theorem 2 holds, it can be used to show 
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the improbable proposition that any arbitrary operator, 
whether symmetric or asymmetric, possesses a squash 
operator. 

Proof of Theorem 2. For an arbitrary set of operators 
M( r {) ) of BB84 type, which may not be symmetric, one 
can always define other G-symmetric operators Mr r ^\ as 

in Hb <8> Ti-D- Here, Hd is an ancilla space which is 
spanned by orthonormal basis {\g)} g ^G^ that is, a set of 
orthonormal states \g) labeled by all elements g G G. M 
is G-symmctric under unitary transformation V as de- 
fined by V(g) :— id B ® i?r>(g) with R D being the regular 
representation of G defined by RoifJ^l^D = \(j1>)d (see, 
e -g-, @)- Hence if one could prove the type of theorems 
quoted in Theorem 2, it would readily follow that there 
is a squash operator for Mr r M. 

On the contrary, however, once such a F is obtained, 
one can also construct squash operator F for the original 
operators M^ r b y In order to see this, note that we have 
for an arbitrary pb €Hb 



Tr [M r p B ] = Tr[M r (p s O|e)(e|) 
= Ti\a r F{p B ®\e){e\) 



with e being the identity element of G. Thus, applying 
F on Pb 55 l e )( e | serves as a correct squash operator for 
p B . This result shows that any POVM M (r>i)) of BB84 
type, whether symmetric or not, possesses a squash op- 
erator. However, this leads to a contradiction because 
there exists the counterexample of POVM Mq defined by 

M 0z = M 0x = a z 

which has no squash operator. 



The fact that Mq does not possess any squash operator 
can be shown, e.g, by the same argument as Bcaudry, Mo- 
roder, and Lutkenhaus used for the six-state protocol [|[, 
but it can alternatively be shown by the following simple 
argument. Consider the situation where Alice and Bob 
perform the BBM92 protocol using Mq as their detec- 
tors, and, as the entanglement source, Eve provides states 
\ipb) :— \b z )A <8> \b z ) B with a bit b S {0, 1} of her choice. 
In this setup, clearly, all sifted key bits b are known to 
Eve, and thus Alice and Bob will never succeed in shar- 
ing secret keys. Hence, the existence of squash operator 
F for Mo would lead to a contradiction, since F could be 
used to prove the unconditional security of this system, 
with the quantum bit error rate measured by Alice and 
Bob being exactly zero. (End of proof.) 

Summary. — In this paper, we first showed that, if 
a given detector is G4-symmetric, and the observable 
M z associated with it has rank two, then there always 
exists a corresponding squash operator compatible with 
the BB84 protocol (Theorem 1). By using this result, 
we then proved that squash operators exist, not only for 
single-mode threshold detectors, but also for multi-mode 
threshold detectors. 

Next, we took up the question of whether this result 
can be generalized to symmetric detectors with arbitrary 
ranks, as an attempt toward the realization of device- 
independent and unconditionally secure QKD protocols. 
However, it turned out that the fact is quite opposite. 
That is, we have succeed in proving that, no matter what 
symmetry one imposes on the detectors, the symmetry is 
never sufficient, by itself, to guarantee the existence of a 
corresponding squash operator (Theorem 2). 
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